Exchange certificate deletion and reassignment? Concerned about SMTP stopping

I have an Exchange 2013 server on prem with a second server running as a DAG server. This is also a hybrid O365 deployment. I started getting a warning that one of the wildcard certs we purchased was about to expire, so I found another one and installed it on both servers. Since I've never done this before I thought I'd test it on the DAG server first. When I went to reassign the SMTP service I received an error that said "the certificate will not be used for external TLS connections with a FQDN of 'dag server' because the CA-signed cert 'thumbprint' takes precedence".

I googled this and got varying answers, but if this is what happens on the DAG, I'm now a little frightened to try switching this out on the primary Exchange server.

I can't seem to find anyone who has actually changed out certificates on an Exchange server like this, or when they do it on YouTube or whatever, they don't get any errors.
Has anyone ever loaded another cert and reapplied it to the SMTP service? I really don't want to bring down this thing.

andy mann asked:
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Just use certs (normal or wildcard).

LE certs have been free for years + just work + you can set up a simple CRON job (several Windows equivalents) to check for auto renewal each night + auto renew will occur 10 days before the cert expires + can also restart all your services (when renewals occur) to pull in renewed certs.

LE certs - set up once + forget.

My kind of certs!
timgreen7077 (Exchange Engineer) commented:
If your cert is about to expire you will need to create a new cert request so that you can upload it to your certificate authority; see the link below:

After your CA issues you a new cert you will have to install the cert on your Exchange servers, and I would recommend using your CA's instructions on installing the new cert on Exchange.

Once you install the new cert you will need to reassign the services like SMTP, IIS, POP and so forth to the new cert. See below:

Just a note: I would suggest getting a UCC SAN cert instead of a wildcard. UCC SAN certs are recommended for Exchange.

andy mann (Author) commented:
I've already installed the new cert; it is the reassignment of services I'm worried about. I didn't think it would be any big deal until I received the error on the second server when I went to reassign the services.

My main concern is that SMTP stops running if there is some sort of problem with the new cert.  Has this ever happened to anyone?
timgreen7077 (Exchange Engineer) commented:
If you installed the cert correctly, reassigning services to the new cert will not cause an issue. That is what needs to be done.
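An added pre-flight and reassignment script for the step discussed above (PowerShell for the Exchange Management Shell; it is not from this thread, and the server name and thumbprint are placeholder assumptions): it checks that the new certificate has its private key and is valid, lists which receive-connector FQDNs on the server it covers, then binds SMTP after a -WhatIf dry run.

```powershell
# Added example, not from this thread. Run in the Exchange Management Shell
# on the server whose SMTP binding is being moved. Both values are placeholders.
$Server        = $env:COMPUTERNAME
$NewThumbprint = 'NEW_CERT_THUMBPRINT_PLACEHOLDER'   # from Get-ExchangeCertificate

# Does a certificate name cover a host name? A wildcard matches one label only.
function Test-NameCovered([string]$Name, [string[]]$Domains) {
    $n = $Name.ToLower()
    foreach ($d in $Domains) {
        $d = $d.ToLower()
        if ($d -eq $n) { return $true }
        if ($d.StartsWith('*.') -and $n.EndsWith($d.Substring(1)) -and
            $n.Split('.').Count -eq $d.Split('.').Count) { return $true }
    }
    return $false
}

$cert = Get-ExchangeCertificate -Server $Server -Thumbprint $NewThumbprint

# 1. Refuse to continue if the new cert cannot actually be used for TLS.
if (-not $cert.HasPrivateKey) { throw 'New cert has no private key; re-import the PFX.' }
if ($cert.Status -ne 'Valid')  { throw "New cert status is '$($cert.Status)', not Valid." }

# 2. Which receive-connector FQDNs on this server does the new cert cover?
#    Names it does not cover keep using whichever certificate matched before.
$domains = [string[]]($cert.CertificateDomains | ForEach-Object { $_.ToString() })
Get-ReceiveConnector -Server $Server | ForEach-Object {
    $fqdn = [string]$_.Fqdn
    if ($fqdn) {
        $ok = Test-NameCovered -Name $fqdn -Domains $domains
        Write-Host ("{0,-45} {1,-35} covered={2}" -f $_.Name, $fqdn, $ok)
    }
}

# 3. Dry run first, then bind SMTP. The old cert stays in the store, so
#    rollback is the same command with the old thumbprint.
Enable-ExchangeCertificate -Server $Server -Thumbprint $NewThumbprint -Services SMTP -WhatIf
Enable-ExchangeCertificate -Server $Server -Thumbprint $NewThumbprint -Services SMTP -Confirm:$false

# 4. Confirm the binding and that the previous cert is still present.
Get-ExchangeCertificate -Server $Server |
    Select-Object Thumbprint, Services, NotAfter, Subject | Format-Table -AutoSize
```

The "takes precedence" message quoted in the question is emitted by Enable-ExchangeCertificate as a warning, not a failure: the SMTP binding still completes, and Exchange chooses among SMTP-enabled certificates by FQDN match per connection.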
timgreen7077 (Exchange Engineer) commented:
provided answer to author, closing ticket unless author reopens.